Abstract

We consider the problem of formalizing in higher-order logic the familiar notion of widening from abstract interpretation. It turns out that many axioms of widening (e.g. widening sequences are ascending) are not useful for proving correctness. After keeping only useful axioms, we give an equivalent characterization of widening as a lazily constructed well-founded tree. In type systems supporting dependent products and sums, this tree can be made to reflect the condition of correct termination of the widening sequence.
1 The usual framework

We shall first recall the usual definitions of abstract interpretation and widening operators.

1.1 Abstraction and concretization maps

Abstract interpretation is a framework for formalizing approximation relationships arising in program semantics and static analysis. Soundness of the abstraction is expressed by the fact that the approximation takes place in a controlled direction. In order to prove that a given set of undesirable states is unreachable, we can compute a superset of the set of reachable states (an over-approximation thereof), in the hope that this set does not intersect the set of undesirable states. In order to prove that we eventually reach a given set of states, we can compute a subset of the set of states that eventually reach them (an under-approximation thereof), in the hope that this set includes the initial states.

Most introductory materials on abstract interpretation describe abstraction as a Galois connection between a concrete space $S$ (typically, the powerset $\mathcal{P}(\Sigma)$ of the set of states $\Sigma$ of the program, or the powerset of the set of finite execution traces $\Sigma^*$ of the program) and an abstract space $S^\sharp$. For instance, if the program state consists in a program counter location, taken within a finite set $P$ of program locations, and three integer variables, $\Sigma = P \times \mathbb{Z}^3$, $S = \mathcal{P}(P \times \mathbb{Z}^3)$, the abstract state can be, for instance, a member of $S^\sharp = P \to (\{\bot\} \cup I^3)$, where $P$ is the set of program locations, $a \to b$ denotes the set of functions from $a$ to $b$, $I$ is the set of well-formed pairs $(a, b)$ defining intervals ($a \in \mathbb{Z} \cup \{-\infty\}$, $b \in \mathbb{Z} \cup \{+\infty\}$ and $a \le b$) and $\bot$ is a special element meaning "unreachable". $S$ and $S^\sharp$ are ordered; here, $S$ is ordered by set inclusion $\subseteq$ and $S^\sharp$ is ordered by $\sqsubseteq_P$, the pointwise application of $\sqsubseteq$ for all program locations: $\bot \sqsubseteq x^\sharp$ for all $x^\sharp$ in $S^\sharp$, and $((a_1, b_1), (a_2, b_2), (a_3, b_3)) \sqsubseteq ((a'_1, b'_1), (a'_2, b'_2), (a'_3, b'_3))$ if for all $1 \le i \le 3$, $a'_i \le a_i$ and $b_i \le b'_i$. For the sake of simplicity, we shall give examples further on where $P$ is a singleton; the generalization to any finite $P$ is straightforward. $P \to (\{\bot\} \cup I^3)$ is then isomorphic to $\{\bot\} \cup I^3$ and we shall thus consider, as a running example, the case where $S$ is $\mathcal{P}(\mathbb{Z}^3)$ and $S^\sharp$ is $\{\bot\} \cup I^3$.

$\gamma$ maps any abstract state $x^\sharp$ to the set of concrete states that it represents. Here, $\gamma((a_1, b_1), (a_2, b_2), (a_3, b_3))$ is the set of triples $(v_1, v_2, v_3)$ such that for all $1 \le i \le 3$, $a_i \le v_i \le b_i$. $\alpha$ maps a set $x$ of concrete states to the "best" (least) abstract element $x^\sharp$ such that $x \subseteq \gamma(x^\sharp)$. Here, if $x \subseteq \mathbb{Z}^3$, then for all $1 \le i \le 3$, $a_i = \inf_{(v_1, v_2, v_3) \in x} v_i$ and $b_i = \sup_{(v_1, v_2, v_3) \in x} v_i$. $\gamma$ must be monotone with respect to $\sqsubseteq$ and $\subseteq$: if $x^\sharp \sqsubseteq y^\sharp$, then $\gamma(x^\sharp) \subseteq \gamma(y^\sharp)$.

In some presentations of abstract interpretation, abstract elements $x^\sharp$ are identified with their concretization $\gamma(x^\sharp)$. For instance, one talks directly of the interval $[a, b]$, not of the pair $(a, b)$. This can make explanations smoother by clearing up notations. It is however important for some purposes to distinguish the machine representation of an abstract element $x^\sharp$ from its concretization $\gamma(x^\sharp)$, if only because $\gamma$ may not be injective. For instance, $x = y \wedge x \le 1$ and $x = y \wedge y \le 1$ define exactly the same part of the plane (as geometrical convex polyhedra) but are different in their machine representation. This is the same difference as that between the syntax and the semantics of a logic.

In this article, we distinguish these syntactic and semantic aspects, for several reasons. First, certain abstract operations may be sensitive to the syntax of an abstract element; that is, they may yield different results for $x^\sharp$ and $y^\sharp$ even though $\gamma(x^\sharp) = \gamma(y^\sharp)$, as we shall recall in §1.3 about the polyhedra and octagons.

Also, while in many cases $\sqsubseteq$ is defined by $a \sqsubseteq b \iff \gamma(a) \subseteq \gamma(b)$, this relation may sometimes be too costly or impossible to compute, and some smaller relation may be used. For instance, if one uses a product of several abstract domains $D_1 \times \dots \times D_m$, each $D_i$ fitted with a decidable ordering $\sqsubseteq_i$, and $\gamma(x_1^\sharp, \dots, x_m^\sharp) = \gamma_1(x_1^\sharp) \cap \dots \cap \gamma_m(x_m^\sharp)$, then it is straightforward to consider the product ordering $(x_1, \dots, x_m) \sqsubseteq (x'_1, \dots, x'_m)$, defined componentwise by the $\sqsubseteq_i$.

If $x \sqsubseteq x'$ for this ordering, then $\gamma(x) \subseteq \gamma(x')$, but the two are not necessarily equivalent. Consider for instance a simplification of the domain of difference bounds, expressed as a product of simpler domains: the concrete states are in $\mathbb{Q}^3$, the abstract domains are $D_1 = D_2 = D_3 = \mathbb{Q}$, $\gamma_1(c_1) = \{(x, y, z) \in \mathbb{Q}^3 \mid x - y \le c_1\}$, $\gamma_2(c_2) = \{(x, y, z) \in \mathbb{Q}^3 \mid y - z \le c_2\}$, $\gamma_3(c_3) = \{(x, y, z) \in \mathbb{Q}^3 \mid x - z \le c_3\}$. Obviously, $\gamma(1, 1, 2) = \gamma(1, 1, 3)$, yet $(1, 1, 3) \not\sqsubseteq (1, 1, 2)$. In order to use the product ordering, one has to perform beforehand a reduction operation mapping $(1, 1, 3)$ to $(1, 1, 2)$, but such an operation may be nontrivial: the one in the octagon abstract domain involves a Floyd-Warshall shortest path computation, the one in the template linear constraints domain involves linear programming. In the case of real-life static analysis tools, e.g. the Astrée static analyzer, with many nontrivial abstract domains interacting, it is not obvious whether $\gamma(a) \subseteq \gamma(b)$ is decidable, and even if it were, how to decide it within acceptable time.
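To make the point about product orderings concrete, here is an added Python example (code written for this page, not taken from the paper): it builds the toy difference-bound product domain of this paragraph, compares the syntactic product ordering against a finite sample of $\gamma$, and performs the Floyd-Warshall reduction that maps $(1, 1, 3)$ to $(1, 1, 2)$. The variable numbering, the `CONSTRAINTS` table, the sampling box and the unsatisfiable two-variable case are constructed for the example; the closure is the general shortest-path tightening, so it also works for any other list of difference constraints.

```python
from itertools import product
from math import inf

# Constructed toy version of the difference-bound product domain of the text:
# coordinate k of an abstract element is a constant c_k bounding one difference
# v_i - v_j <= c_k, with (i, j) taken from CONSTRAINTS. Variables 0, 1, 2 stand
# for x, y, z.
CONSTRAINTS = [(0, 1), (1, 2), (0, 2)]   # x - y <= c1, y - z <= c2, x - z <= c3


def product_le(a, b):
    """Syntactic product ordering: each bound of a is at most the bound of b."""
    return all(ca <= cb for ca, cb in zip(a, b))


def gamma_sample(abstract, constraints=CONSTRAINTS, lo=-3, hi=3):
    """Concretization restricted to the integer points of a small box: a finite
    sample of gamma, enough to compare two elements on that box."""
    n = 1 + max(max(i, j) for i, j in constraints)
    return {v for v in product(range(lo, hi + 1), repeat=n)
            if all(v[i] - v[j] <= c
                   for (i, j), c in zip(constraints, abstract))}


def reduce_bounds(abstract, constraints=CONSTRAINTS):
    """Reduction by Floyd-Warshall closure, as in the octagon domain: tighten
    each bound with the best chain of other bounds. Returns None when the
    constraints are unsatisfiable (negative cycle), i.e. the element is bottom."""
    n = 1 + max(max(i, j) for i, j in constraints)
    m = [[inf] * n for _ in range(n)]     # m[i][j] bounds v_i - v_j
    for k in range(n):
        m[k][k] = 0
    for (i, j), c in zip(constraints, abstract):
        m[i][j] = min(m[i][j], c)
    for k in range(n):                    # v_i - v_j <= (v_i - v_k) + (v_k - v_j)
        for i in range(n):
            for j in range(n):
                if m[i][k] + m[k][j] < m[i][j]:
                    m[i][j] = m[i][k] + m[k][j]
    if any(m[k][k] < 0 for k in range(n)):
        return None
    return tuple(m[i][j] for i, j in constraints)


if __name__ == "__main__":
    a, b = (1, 1, 3), (1, 1, 2)
    print(product_le(a, b))                          # False: syntactically incomparable
    print(gamma_sample(a) == gamma_sample(b))        # True: same concretization
    print(reduce_bounds(a))                          # (1, 1, 2): reduction closes the gap
```

After reduction both elements have the same representation, so the cheap product ordering gives the right answer; without it, a sound but incomplete $\sqsubseteq$ would report $(1, 1, 3) \not\sqsubseteq (1, 1, 2)$ even though the two denote the same set. The cost of this closure is cubic in the number of variables, which is the price the text alludes to.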

Finally, since our goal is to write programs and proofs in a proof assistant based on intuitionistic type theory, we thought it best to clearly separate the computational, constructive content from the non-computational content: membership in the set of reachable states of a program is, in general, recursively enumerable but not recursive (from Turing's halting problem: one cannot in general decide whether the "end" line of the program is reachable); thus the characteristic function of that set cannot be defined by constructive logic, since this would involve describing an algorithm computing that function.

1.2 Obtaining invariants 

Abstract interpretation replaces a possibly infinite number of concrete program executions, which cannot be simulated in practice, by a simpler "abstract" execution. For instance, one may replace running a program using our three integer variables over all possible initial states by a single abstract execution with interval arithmetic. The resulting final intervals are guaranteed to contain all possible outcomes of the concrete program. More formally, if one has a transition relation $\tau \subseteq \Sigma \times \Sigma$, one defines the forward concrete transfer function $f_\tau : S \to S$ as $f_\tau(x) = \{\sigma' \mid \sigma \to_\tau \sigma' \wedge \sigma \in x\}$. $f_\tau(W)$ is the set of states reachable in one forward step from $W$. We say that the abstract transfer function $f^\sharp_\tau$ is a correct abstraction for $f_\tau$ if for all $x^\sharp$, $f_\tau \circ \gamma(x^\sharp) \subseteq \gamma \circ f^\sharp_\tau(x^\sharp)$. This soundness property means that if we have a superset of the concrete set of states before the execution of $\tau$, we get a superset of the concrete set of states after the execution of $\tau$.

As usual in program analysis, obtaining loop invariants is the hardest part. Given a set $x_0 \subseteq \Sigma$ of initial states, we would like to obtain a superset of the set of reachable states $x_\infty = \{\sigma' \mid \sigma \to_\tau^* \sigma' \wedge \sigma \in x_0\}$. The set of states $x_n$ reachable in at most $n$ steps from $x_0$ is defined by induction: $x_{n+1} = \phi(x_n)$, where $\phi(x) = f_\tau(x) \cup x_0$ is monotone, because $f_\tau$ is by definition a $\cup$-morphism. The sequence $(x_n)$ is ascending, and its limit is $x_\infty$, which is the least fixed point of $\phi$ by Kleene's fixed point theorem; this sequence is thus often known as Kleene iterations. $x_\infty$ is also known as the strongest invariant of the program. An inductive invariant or post-fixpoint is a set $x$ such that $x_0 \subseteq x$ and $f_\tau(x) \subseteq x$, and by Tarski's theorem, the intersection of all such sets is $x_\infty$.

Obviously, the set of all possible states (often noted $\top$) is an inductive invariant, but it is uninteresting since it cannot be used to prove any non-trivial property of the program. A major goal of program analysis is to obtain program invariants $x$ that are strong enough to prove interesting properties, without being too costly to establish.

In some cases, interesting inductive invariants may be computed directly. Various approaches have recently been proposed for the direct computation of invariants, without Kleene iterations. Costan et al. proposed a method for computing least fixed points in the lattice of real intervals by downward policy iteration, also known as strategy iteration, a technique borrowed from game theory; they later extended their framework to other domains. Gawlitza and Seidl [12] proposed a method for computing least fixed points in certain lattices by upward strategy iteration. Monniaux [17, 18] showed that least fixed point problems in some lattices expressing numerical constraints can be reduced to quantifier elimination problems, which in turn can be solved algorithmically. Other recent proposals include expressing the least invariant problem in the abstract lattice directly as a constrained minimization problem, then solving it with operational research tools. One common factor to these approaches is that they target specific classes of abstract domains and programs; in addition, they may also suffer from high complexity.

1.3 Abstract Kleene iterations and widening operators 

The more traditional approach to finding inductive invariants by abstract interpretation is to perform abstract Kleene iterations. Let $x^\sharp_0$ be an abstraction of $x_0$. Define $\phi^\sharp(x^\sharp) = f^\sharp_\tau(x^\sharp) \sqcup x^\sharp_0$, where $\sqcup$ is a sound overapproximation of the concrete union $\cup$: $\gamma(x^\sharp) \cup \gamma(y^\sharp) \subseteq \gamma(x^\sharp \sqcup y^\sharp)$. From the soundness of $f^\sharp_\tau$ and $\sqcup$, $\phi^\sharp$ is a sound abstraction of $\phi$: for all $x^\sharp$, $\phi \circ \gamma(x^\sharp) \subseteq \gamma \circ \phi^\sharp(x^\sharp)$. By induction, for all $n$, $x_n \subseteq \gamma(x^\sharp_n)$: assuming $x_n \subseteq \gamma(x^\sharp_n)$, $x_{n+1} = \phi(x_n) \subseteq \phi \circ \gamma(x^\sharp_n) \subseteq \gamma \circ \phi^\sharp(x^\sharp_n) = \gamma(x^\sharp_{n+1})$.

In many presentations of abstract interpretation, it is supposed that the abstract transfer function $f^\sharp_\tau$ and the abstract union $\sqcup$ are monotonic. Intuitively, this means that if the analysis has more precise information at its disposal, then its outcome is more precise. This is true for elementary transfer functions in most abstract domains, and thus of their composition into abstract transfer functions of more complex program constructions. A well-known exception is when the abstract transfer function is itself defined as the overapproximation of a least fixed-point operation using a widening operator (see below), yet there exist less well-known cases where the abstract transfer function may be non-monotonic.¹

Let us nevertheless temporarily assume that $f^\sharp_\tau$ and $\sqcup$ and, thus, $\phi^\sharp$, are monotonic, and that $a^\sharp, b^\sharp \sqsubseteq a^\sharp \sqcup b^\sharp$ for all $a^\sharp$ and $b^\sharp$. Then $x^\sharp_0 \sqsubseteq x^\sharp_1$ and by induction, for all $n$, $\phi^\sharp$ being monotonic, $x^\sharp_n = \phi^{\sharp n}(x^\sharp_0) \sqsubseteq \phi^{\sharp n}(x^\sharp_1) = x^\sharp_{n+1}$; the sequence $x^\sharp_n$ is therefore ascending. If this sequence is stationary, there is $N$ such that $x^\sharp_{N+1} = x^\sharp_N$. Then, $\gamma(x^\sharp_N) = \gamma(x^\sharp_{N+1}) = \gamma(f^\sharp_\tau(x^\sharp_N) \sqcup x^\sharp_0) \supseteq \gamma \circ f^\sharp_\tau(x^\sharp_N) \supseteq f_\tau \circ \gamma(x^\sharp_N)$, and $\gamma(x^\sharp_N) = \gamma(x^\sharp_{N+1}) = \gamma(f^\sharp_\tau(x^\sharp_N) \sqcup x^\sharp_0) \supseteq \gamma(x^\sharp_0) \supseteq x_0$, which means that $\gamma(x^\sharp_N)$ is an inductive invariant. Obviously, if the abstract domain $S^\sharp$ is finite, then any ascending sequence is stationary.²

More generally, the same results hold for any domain of finite height (there exists an integer $L$ such that any strictly ascending sequence has at most length $L$), and, even more generally, for any domain satisfying the ascending chain condition (there does not exist any infinite strictly ascending sequence). Yet, even the very simple domain of products of intervals that we defined earlier does not satisfy the ascending chain condition!

¹ Such is for instance the case of the symbolic constant propagation domain proposed by Miné [16, §5] [15, §6.3.4]. The full symbolic propagation strategy can induce non-monotonic effects: if the analysis knows more relationships, it can perform spurious rewritings and paradoxically provide a less precise result. The same is true of Miné's linearization step, which dynamically abstracts nonlinear expressions as linear expressions. Consider the nonlinear expression $x \times y$ where $x \in [m_x, M_x]$, $y \in [m_y, M_y]$ and $m_x, m_y > 0$: a choice has to be made between several valid linearizations, here $x \times [m_y, M_y]$ and $[m_x, M_x] \times y$. While all choices between candidate linearizations lead to sound results, they do not have the same precision and the choice heuristic does not necessarily choose the one leading to the most precise results later on.

² This explains the popularity of Boolean abstractions: $S^\sharp$ is the set of sets of bit vectors of fixed length $L$, and these sets are often represented by reduced ordered binary decision diagrams (ROBDD). Reachability analysis in BDD-based model-checkers is thus a form of Kleene iteration in the BDD space. Very astute implementation techniques, involving generalized hashing of data structures, ensure that equality tests take constant time and that $\phi^\sharp$ is computed efficiently.

In domains that do not satisfy the ascending chain condition, the abstract Kleene iterations may fail to converge in finite time. Such is the case, for instance, of the interval abstraction of the program with a single integer variable defined by the transition system $\tau$: for all $n$, $n \to_\tau n + 1$, and the initial state is $0$. The best abstract transfer function $\phi^\sharp$ maps a pair $(0, n)$ representing an integer interval $\{0, \dots, n\}$ to the pair $(0, n + 1)$, thus the abstract Kleene iterations are $x^\sharp_n = (0, n)$ and the analysis fails to converge in finite time.

The traditional solution to the convergence problem in domains that do not satisfy the ascending chain condition is to use a widening operator, which is a form of convergence accelerator applied to abstract Kleene iterations [Def. 4.1.2.0.4] [§4]. Intuitively, the widening operation examines the first abstract Kleene iterations and conjectures some possible over-approximation of the limit, which is then checked for stability; further iterations may be necessary until an inductive invariant is reached. For each infinite height domain, one or more widening operators must be designed. Consequently, most literature on abstract interpretation domains includes descriptions of widening operators.

For instance, the interval abstract domain can be fitted with a simple widening discarding unstable bounds [1], then later with the less brutal "widening up to" [13, §3.2] or "widening with thresholds" [§6.4] [§7.1.2]. The domain of convex polyhedra was first fitted with a very simple widening that discarded all unstable constraints [10], but this widening was later refined in order to make it insensitive to syntactic variations in the way semantically equivalent constraints were given [3, p. 56-57] [§2.2]. Miné [15] fitted the octagon abstract domain with a similar construction, widening to $+\infty$ the unstable constraints. Again, this widening was sensitive to syntax, which led to proposals of semantic widenings [1]. Widening techniques are not restricted to numerical domains; for instance there are specific techniques for widening over automata [11] (roughly speaking, they overapproximate a language defined by an automaton by the language defined by a quotient, of limited size, of that automaton; the limited size ensures termination).

Here is the most common definition:

Definition 1. A widening operator $\nabla$ on an abstract domain $(S^\sharp, \sqsubseteq)$ is a binary operator that satisfies the three following properties:

1. $x^\sharp \sqsubseteq x^\sharp \nabla y^\sharp$

2. $y^\sharp \sqsubseteq x^\sharp \nabla y^\sharp$

3. for any sequence $v^\sharp_n$, a sequence of the form $u^\sharp_{n+1} = u^\sharp_n \nabla v^\sharp_n$ is ultimately stationary.

We can then use $u^\sharp_0 = x^\sharp_0$, $u^\sharp_{n+1} = u^\sharp_n \nabla \phi^\sharp(u^\sharp_n)$. By the third property of the widening operator, there exists $N$ such that $u^\sharp_N = u^\sharp_N \nabla \phi^\sharp(u^\sharp_N)$. Thus, $\phi^\sharp(u^\sharp_N) \sqsubseteq u^\sharp_N$, and $\gamma \circ \phi^\sharp(u^\sharp_N) \subseteq \gamma(u^\sharp_N)$. But $x_0 \cup f_\tau \circ \gamma(u^\sharp_N) = \phi(\gamma(u^\sharp_N)) \subseteq \gamma \circ \phi^\sharp(u^\sharp_N) \subseteq \gamma(u^\sharp_N)$, thus $f_\tau \circ \gamma(u^\sharp_N) \subseteq \gamma(u^\sharp_N)$ and $\gamma(u^\sharp_N)$ is an inductive invariant.
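As an added illustration of Definition 1 and of the one-variable interval example above (code written for this page, not taken from the paper), the following Python script runs the abstract Kleene iterations for the program $n \to n + 1$ starting at $0$, shows that they never stabilize, then runs the widening sequence $u^\sharp_{n+1} = u^\sharp_n \nabla \phi^\sharp(u^\sharp_n)$ with the simple widening that discards unstable bounds and checks the post-fixpoint condition $\phi^\sharp(u^\sharp) \sqsubseteq u^\sharp$. Encoding intervals as `(lo, hi)` pairs with `None` for $\bot$ is an assumption of the example.

```python
from math import inf

# Constructed encoding: integer intervals as (lo, hi) pairs, BOT is "unreachable".
BOT = None


def le(a, b):
    """a ⊑ b on intervals (BOT is below everything)."""
    if a is BOT:
        return True
    if b is BOT:
        return False
    return b[0] <= a[0] and a[1] <= b[1]


def join(a, b):
    """a ⊔ b: the smallest interval containing both (sound for ∪)."""
    if a is BOT:
        return b
    if b is BOT:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(a, b):
    """a ∇ b: keep each bound of a that b does not exceed, discard the others."""
    if a is BOT:
        return b
    if b is BOT:
        return a
    lo = a[0] if a[0] <= b[0] else -inf
    hi = a[1] if a[1] >= b[1] else inf
    return (lo, hi)


# The program of the text: one integer n, transition n -> n + 1, initial state 0.
X0 = (0, 0)


def f_sharp(x):
    """Best abstract transfer function for n -> n + 1."""
    return BOT if x is BOT else (x[0] + 1, x[1] + 1)


def phi_sharp(x):
    """φ♯(x) = f♯(x) ⊔ x0♯"""
    return join(f_sharp(x), X0)


def kleene(max_steps):
    """Plain abstract Kleene iterations. Returns (last iterate, stationary?)."""
    x = X0
    for _ in range(max_steps):
        nxt = phi_sharp(x)
        if le(nxt, x):
            return x, True
        x = nxt
    return x, False


def widening_iterations(max_steps=1000):
    """u0 = x0♯, u(n+1) = u(n) ∇ φ♯(u(n)) until φ♯(u) ⊑ u. Returns (u, steps)."""
    u = X0
    for n in range(max_steps):
        v = phi_sharp(u)
        w = widen(u, v)
        assert le(u, w) and le(v, w)      # properties 1 and 2 of Definition 1
        if le(v, u):
            return u, n
        u = w
    raise RuntimeError("no stabilization")  # cannot happen: property 3 holds here


def is_inductive(u):
    """Sufficient condition from the text: φ♯(u) ⊑ u makes γ(u) an inductive invariant."""
    return le(phi_sharp(u), u)


if __name__ == "__main__":
    print(kleene(50))                # ((0, 50), False): still growing
    print(widening_iterations())     # ((0, inf), 1): stable after one widening
    print(is_inductive((0, inf)))    # True
```

Fifty plain iterations leave the upper bound still growing, whereas a single widening step jumps to $[0, +\infty[$, which $\phi^\sharp$ then leaves unchanged. The price is precision: any finite upper bound the program might actually respect is lost, which is what the threshold and delay techniques of §3.2 are meant to recover.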

Let us now have a second look at the hypotheses that we used to establish that result. Though it is often assumed that the abstract domain is a complete lattice, and that the abstract transfer function is monotonic, we never used either hypothesis. In fact, the only hypotheses that we used are:

• $f_\tau$ is monotonic and the concrete domain $\mathcal{P}(\Sigma)$ is a complete lattice, thus $\phi$ has a least fixed point which is the least inductive invariant of the program.

• For all $a^\sharp$ and $b^\sharp$, $b^\sharp \sqsubseteq a^\sharp \nabla b^\sharp$.

• For any sequence $v^\sharp_n$, any sequence defined by $u^\sharp_{n+1} = u^\sharp_n \nabla v^\sharp_n$ is stationary.

Figure 1: Interpretation of widening as a well-founded tree for the domain $1 \sqsubset 2 \sqsubset 3 \sqsubset \dots \sqsubset +\infty$. This domain may be used to construct the domain of intervals: an interval $[x, y]$ is represented by the pair $(-x, y) \in \mathbb{N}^2$, pointwise ordered, and the widening operation described here is applied to each coordinate. Each node represents a proposal $u^\sharp_n$ from the widening system. Each edge is labelled with the answer $v^\sharp_n$ from the analysis system. The widening system either answers $\sqsubseteq$ when it determines that $v^\sharp_n \sqsubseteq u^\sharp_n$, or makes a new proposal. A proposal of $+\infty$ forces termination: whatever the analysis system then supplies, $v^\sharp_n \sqsubseteq +\infty$ (we left out its outgoing branches, all finishing in $\sqsubseteq$). A path from the root of the tree is an abstract Kleene iteration sequence. The well-foundedness of the tree ensures the termination of such sequences.

2 Relaxation of conditions and interpretation in inductive types

During our work on the Astrée tool and when formalizing the notion of widening in the Coq proof assistant³ [2], we realized that the usual definitions of abstract domains and widenings are unnecessarily restrictive for practical purposes. Pichardie [§4.4] already proposed a relaxation of these conditions, but his definition of widenings is still fairly complex. We propose here a drastically reduced informal definition of widenings, which subsumes both the $\sqsubseteq$ ordering and the $\nabla$ operator; this definition will be made formal as Def. 3.

³ Coq is a proof assistant based on higher order logic, available from http://coq.inria.fr
Definition 2. A widening system is an algorithm that proposes successive abstract elements $u^\sharp_0, u^\sharp_1, \dots, u^\sharp_n$ to the rest of the analyzer, and receives $v^\sharp_n$ from it. It can then either terminate with some guarantee that $\gamma(v^\sharp_n) \subseteq \gamma(u^\sharp_n)$, or propose the next element $u^\sharp_{n+1}$. The system never provides infinite sequences.

In practical use, $v^\sharp_n = \phi^\sharp(u^\sharp_n)$ and $\phi^\sharp$ is an abstraction of the concrete transformer of a loop or, more generally, of a monotonic system of semantic equations.

It is obvious that any widening that verifies the conditions of Def. 1 also verifies these conditions. Note that Def. 2 is strictly laxer than Def. 1. For instance, we make no requirement that $\gamma(u^\sharp_n) \subseteq \gamma(u^\sharp_{n+1})$: a widening system could first try some ascending sequence $u^\sharp_0, \dots, u^\sharp_n$, regret, and restart with another sequence $u^\sharp_{n+1}, \dots$.

A more mathematical way of seeing this definition is by interpreting the widening system as a well-founded tree:

Definition 3. Let $S^\sharp$ be an abstract domain with the associated concretization map $\gamma$. Let $\sqsubseteq$ be a preorder over $S^\sharp$ such that $\gamma$ is monotonic. A widening system is a well-founded tree whose nodes are labeled by elements of $S^\sharp$ (there may be several nodes with the same label). From a node labeled with $u^\sharp$ there are branches labeled with every $v^\sharp$ such that $v^\sharp \not\sqsubseteq u^\sharp$.

Let $u^\sharp_0$ be the label for the root of the tree, and let $u^\sharp_0, v^\sharp_0, u^\sharp_1, \dots$ be a path into the tree consisting in successive nodes and edges. Because the tree is well-founded, this path is finite, which means that it terminates with $u^\sharp_N, v^\sharp_N$ such that $v^\sharp_N \sqsubseteq u^\sharp_N$. This recalls the termination property of Def. 1.

Definition 3, combined with the $\sqsubseteq$ test, can be easily recast as a couple of mutually inductive types:

$\mathrm{widening} = S^\sharp \times (S^\sharp \to \mathrm{answer})$

$\mathrm{answer} = \mathrm{termination} \mid \mathrm{next\ of\ widening}$

From each node labeled by $u^\sharp$, for each $v^\sharp$ there is an edge labeled by $v^\sharp$, which either leads to "termination" if $v^\sharp \sqsubseteq u^\sharp$, or to another node (see Fig. 1).

Note that, even in an eager language such as Objective Caml, the widening tree is never constructed in memory: its nodes are constructed on demand by application of the function $S^\sharp \to \mathrm{answer}$.

In a higher-order type system with dependent sums and products such as the Calculus of Inductive Constructions (as in Coq), the above inductive datatype can be adorned with proof terms. A tree node widening is a pair $(u^\sharp, a)$ where $a$ maps each $v^\sharp$ to an answer. $a(v^\sharp)$ is either "$\sqsubseteq$", carrying a proof term stating that $\gamma(v^\sharp) \subseteq \gamma(u^\sharp)$, or another widening tree node.

3 Implementation in Coq

We shall first show how to implement our concept of widening system in Coq, then we shall give a few concrete examples of how common abstract interpretation techniques can be implemented within this framework.⁴

⁴ Source code may be downloaded from http://www-verimag.imag.fr/~monniaux/download/domains_coq.zip



3.1 Framework

We assume we have an abstract domain S with an ordering domain_le (representing $\sqsubseteq$). In practice, this ordering is supposed to be decidable: there exists a function domain_le_decide that takes x and y as inputs and decides whether $x \sqsubseteq y$.

The answer is the disjunctive sum {domain_le y x} + widening: it either provides a new widening object, or a proof that $y \sqsubseteq x$. By inlining this type into the definition of widening, we obtain:

Variable S : Set.

Hypothesis domain_le : S -> S -> Prop.
Hypothesis domain_le_decide :
  forall x y : S,
    { domain_le x y } + { ~ (domain_le x y) }.

Inductive widening : Set :=
  widening_intro : forall x : S,
    (forall y : S, widening + { domain_le y x }) -> widening.

Note that all properties desired of the widening are lumped in this definition. The Inductive keyword introduces a type whose elements are all well-founded by construction; Coq will make it impossible to create widening trees that are not well-founded. The correct termination property (termination only if $v^\sharp \sqsubseteq u^\sharp$) is also ensured by construction: a leaf edge corresponding to $v^\sharp$ and $u^\sharp$ may be constructed only by giving a proof of $v^\sharp \sqsubseteq u^\sharp$ (a term belonging to the type domain_le $v^\sharp$ $u^\sharp$).

In the above definition, we have added the hypothesis that $\sqsubseteq$ is decidable (domain_le_decide). This is not needed for this definition, but is useful in many constructions, and is a very reasonable assumption to make. Indeed, the reason why we introduced $\sqsubseteq$ as just any order such that $\gamma$ is monotonic, and not the most precise one, is that the most precise one might not be decidable, or too costly to decide effectively.

Since widening is an inductive type, defining well-founded trees, it is possible to define functions by induction over elements of that type. One especially interesting inductively defined function takes $f^\sharp : S^\sharp \to S^\sharp$ as a parameter and computes $x^\sharp$ such that $f^\sharp(x^\sharp) \sqsubseteq x^\sharp$ by well-founded induction over the widening tree. On a widening node labeled by $u^\sharp$, it computes $v^\sharp = f^\sharp(u^\sharp)$ then requests the "answer" from the widening node on the value $v^\sharp$:

• Either it answers with another widening node and the function is called recursively.

• Or it answers with a proof that $v^\sharp \sqsubseteq u^\sharp$ and the algorithm terminates with the requested answer (both $u^\sharp$ and a proof that $f^\sharp(u^\sharp) \sqsubseteq u^\sharp$).

Section Recursor.
Variable f : S -> S.

Fixpoint abstract_lfp_rec
  (iteration_step : widening) :
  { lfp : S | domain_le (f lfp) lfp } :=
  let (x, xNext) := iteration_step in
  match xNext (f x) with
  | inleft next_widening => abstract_lfp_rec next_widening
  | inright fx_less_than_x =>
      exist (fun x => domain_le (f x) x) x fx_less_than_x
  end.
End Recursor.

For ease of use, we pack S, domain_le, an abstraction relation domain_abstracts 
and other related constructs into one single domain record. 

3.2 Examples

In numerical abstract domains, it is common to use "widening up to" [13, §3.2] or "widening with thresholds" [§6.4] [§7.1.2]: one keeps an ascending sequence $z^\sharp_1, \dots, z^\sharp_n$ of "magical" values, and $x^\sharp \nabla y^\sharp$ is the least element $z^\sharp_k$ greater than $x^\sharp \sqcup y^\sharp$. For instance, instead of widening a sequence of integer intervals $[0, 1]$, $[0, 2]$ etc. to $[0, +\infty[$, we may try some "magical" values such as $[0, 255]$, $[0, 32767]$ etc. Yet, if all elements in the sequence fail to define an inductive invariant, we are forced to try $[0, +\infty[$. In other words, after trying the "magical" values, we revert to the usual brutal widening on the intervals.

This is easily modeled within our framework by a "widening transformer": taking a widening $W$ as input and a finite "ramp" $l$ of values, it outputs a widening $W'$ that first applies the thresholds and, as a last resort, calls $W$. Variable T : domain is a parameter defining the original domain and original widening, which is used as the last resort by our transformed widening. Function ramp_widening_search searches for the next threshold in the "ramp".

Section Widening_ramp.
Variable T : domain.

Fixpoint ramp_widening_search (bound : (domain_set T))
  (ramp : (list (domain_set T))) { struct ramp } : (list (domain_set T)) :=
  match ramp with
  | nil => ramp
  | (cons ramp_h ramp_t) =>
      match (domain_le_decide T bound ramp_h) with
      | left _ => ramp
      | right _ => ramp_widening_search bound ramp_t
      end
  end.

Fixpoint ramp_widening (ramp : (list (domain_set T))) :
  (widening (domain_set T) (domain_le T)) :=
  match ramp with
  | nil => domain_widening T
  | (cons ramp_h ramp_t) =>
      (widening_intro (domain_set T) (domain_le T) ramp_h
        (fun (y : (domain_set T)) =>
          match domain_le_decide T y ramp_h with
          | left STOP =>
              inright (widening (domain_set T) (domain_le T)) STOP
          | right _ =>
              inleft (domain_le T y ramp_h)
                     (ramp_widening (ramp_widening_search y ramp_t))
          end))
  end.

A trick often used in static analysis is to delay the widening [§7.1.3]. Instead of performing $\nabla$ at each iteration, one performs $\sqcup$ for a finite number of steps, then one tries $\nabla$ again. For termination purposes, it suffices that there is some "fairness property": $\nabla$ should not be delayed infinitely. One can for instance choose to delay widening by $n$ steps of $\sqcup$ after each widening step. This is again implemented as a "widening transformer":

Definition delayed_widening_each_step :
  nat -> (widening (domain_set T) (domain_le T)).

We can similarly build a product domain $S^\sharp_1 \times S^\sharp_2$. The widening on couples $(a_1, a_2) \nabla (b_1, b_2) = (a_1 \nabla_1 b_1, a_2 \nabla_2 b_2)$ is implemented by a "widening transformer" taking one widening $W_1$ on $S^\sharp_1$ and a widening $W_2$ on $S^\sharp_2$ as inputs, and producing a widening on $S^\sharp_1 \times S^\sharp_2$ by syntactic induction on $W_1$ and $W_2$: if $a_1 \sqsubseteq_1 b_1 \wedge a_2 \sqsubseteq_2 b_2$, then $(a_1, a_2) \sqsubseteq (b_1, b_2)$ for the product ordering and one terminates; if $a_1 \sqsubseteq_1 b_1$ but $a_2 \not\sqsubseteq_2 b_2$ then one stays on $a_1$ but moves one step into $W_2$ (and mutatis mutandis reversing the coordinates); if $a_1 \not\sqsubseteq_1 b_1$ and $a_2 \not\sqsubseteq_2 b_2$, then one moves into both $W_1$ and $W_2$. This implements the usual widening on products. This construct can be generalized to any finite product of domains.
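The following Python script is an added example, written for this page rather than taken from the paper's Coq development, that renders the constructions of §3.1 and §3.2 in an eager language with closures: a node of the widening tree of Def. 3 is a label plus a function from the analyzer's reply to the next node (or `None` for the $\sqsubseteq$ leaf, where the Coq version demands a proof term), `abstract_lfp` plays the role of `abstract_lfp_rec`, `ramp_widening` that of the threshold transformer, and `product_widening` that of the product transformer just described. The one-dimensional domain is that of Fig. 1 (bounds ordered up to $+\infty$), and intervals $[x, y]$ are encoded as pairs $(-x, y)$ as in the caption; the loop transformer `interval_loop`, the threshold values, the optional loop guard and the `Node` class are constructed for the example.

```python
from math import inf
from dataclasses import dataclass
from typing import Any, Callable, List, Optional, Tuple


# A node of the widening tree of Def. 3: a label u and a function that, given
# the analyzer's reply v, returns None (meaning v ⊑ u; the Coq version demands a
# proof term here) or the next node. Nodes are built on demand by closures, so
# the tree is never materialized, as in the Coq/OCaml encoding.
@dataclass
class Node:
    label: Any
    answer: Callable[[Any], Optional["Node"]]


def abstract_lfp(f, node: Node, le) -> Tuple[Any, int]:
    """Counterpart of abstract_lfp_rec: descend the tree until the current node
    accepts f(label). Returns the post-fixpoint and the number of proposals the
    analyzer rejected on the way."""
    rejected = 0
    while True:
        v = f(node.label)
        nxt = node.answer(v)
        if nxt is None:
            assert le(v, node.label)  # runtime stand-in for the Coq proof term
            return node.label, rejected
        node, rejected = nxt, rejected + 1


# One-dimensional domain of Fig. 1: bounds 0 ⊏ 1 ⊏ 2 ⊏ ... ⊏ +∞.
def bound_le(a, b) -> bool:
    return a <= b


# Last-resort "brutal" widening: a single proposal, +∞, which accepts any reply.
BRUTAL = Node(inf, lambda v: None)


def ramp_search(bound, ramp: List) -> List:
    """Counterpart of ramp_widening_search: skip thresholds below the reply."""
    while ramp and not bound_le(bound, ramp[0]):
        ramp = ramp[1:]
    return ramp


def ramp_widening(ramp: List, last_resort: Node) -> Node:
    """Threshold transformer: propose the thresholds in turn, then fall back."""
    if not ramp:
        return last_resort
    head, tail = ramp[0], ramp[1:]
    return Node(head, lambda v: None if bound_le(v, head)
                else ramp_widening(ramp_search(v, tail), last_resort))


def product_widening(w1: Node, w2: Node) -> Node:
    """Product transformer: stay on a coordinate that accepted its reply, move
    one step into the other; terminate only when both accept."""
    def answer(v):
        n1, n2 = w1.answer(v[0]), w2.answer(v[1])
        if n1 is None and n2 is None:
            return None
        return product_widening(w1 if n1 is None else n1,
                                w2 if n2 is None else n2)
    return Node((w1.label, w2.label), answer)


def product_le(a, b) -> bool:
    return bound_le(a[0], b[0]) and bound_le(a[1], b[1])


# Constructed analysis: n := 0; while (n < hi_guard) n := n + 1, on intervals
# [lo, hi] encoded as (-lo, hi) so that both coordinates grow upwards.
# (The runs below keep lo = 0; a general version would also handle ⊥.)
def interval_loop(hi_guard=None):
    def phi(u):
        neg_lo, hi = u
        lo = -neg_lo
        if hi_guard is not None:
            hi = min(hi, hi_guard - 1)   # only states with n < hi_guard step
        # body n := n + 1, joined with the initial state [0, 0]
        return (max(-(lo + 1), 0), max(hi + 1, 0))
    return phi


def analyze(hi_guard=None):
    """Widening system = product of two threshold ramps over the brutal widening."""
    tree = product_widening(ramp_widening([0], BRUTAL),
                            ramp_widening([0, 255, 32767], BRUTAL))
    (neg_lo, hi), rejected = abstract_lfp(interval_loop(hi_guard), tree, product_le)
    return (-neg_lo, hi), rejected


if __name__ == "__main__":
    print(analyze())      # ((0, inf), 3)
    print(analyze(100))   # ((0, 255), 1)
```

`analyze()` returns $[0, +\infty[$ after three rejected proposals on the upper bound (0, 255 and 32767 in turn), while `analyze(100)`, the same loop with the guard $n < 100$, stops at $[0, 255]$: a threshold is accepted as soon as the analyzer's reply is below it, which is exactly what the ramp buys over the brutal widening. The `assert` in `abstract_lfp` is the only place where this encoding checks the guarantee that the Coq type enforces statically; well-foundedness is likewise only guaranteed here because every ramp is finite and `BRUTAL` accepts everything.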

4 Conclusion

By seeing the combination of the computational ordering $\sqsubseteq$ and the widening operator $\nabla$ as a single inductive construct, one obtains an elegant characterization extending the usual notion of widening in abstract interpretation, suitable for implementation in higher order logic.